Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 06 October 2016 13:39 UTC
To: Christer Holmberg <christer.holmberg@ericsson.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>, "mmusic@ietf.org" <mmusic@ietf.org>
References: <D41C238A.1095B%christer.holmberg@ericsson.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <71419d1f-af1d-46e9-401d-81c5df73fc49@ericsson.com>
Date: Thu, 06 Oct 2016 15:39:05 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/kSJT7qzlucyoeCSMrkXXvJoIsag>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security
On 2016-10-06 at 14:49, Christer Holmberg wrote:
>
> Hi,
>
> Magnus suggested usage of RFC 6904 for encryption of the RTP SDES header
> extension for MID. I guess it would be a SHOULD?
>
> In addition, we would say that a corresponding level of security must be
> applied to the RTP SDES header extension for MID and to the RTCP SDES MID
> item.
>
> Any opinions?

I think this is a fine solution to this issue. I would probably formulate the security considerations like this.

The identification-tag, when included in the RTP MID SDES item, independent of transport, RTCP SDES packet or RTP header extension, can expose the value to parties beyond the signaling chain. Therefore, the identification-tag MUST NOT contain any user related information. However, the implementation's method for generating identification-tags combined with hardware configuration can enable fingerprinting of the endpoint device and thus its user.

As the identification-tag is also used to route the media stream to the right application functionality, it is also important that the value received is the one intended by the sender; thus integrity and the authenticity of the source are important to prevent denial of service on the application. At least to prevent third parties from modifying the identification-tag value.

Due to the security risks associated with the MID values in RTP and RTCP, it is strongly RECOMMENDED that the MID SDES item is both confidentiality protected as well as source authenticated when transported in either RTCP or RTP header extensions. The security mechanisms used SHALL provide corresponding levels of security for both RTP header extensions and RTCP. Confidentiality mechanisms for RTP/RTCP are discussed in Options for Securing RTP Sessions [RFC7201]; for example, SRTP [RFC3711] with SRTCP encryption enabled combined with [RFC6904] can provide the necessary security functions.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
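The point Magnus makes about transport exposure is easiest to see on the wire: plain SRTP [RFC3711] encrypts only the RTP payload, so a MID carried in an RTP header extension stays in cleartext unless the header-extension encryption of [RFC6904] is negotiated for that extension ID. The following Python script is an added example, not code from the draft or from any message in this thread. It constructs a sample RTP packet carrying the MID "0" in a one-byte header extension (RFC 5285/8285 format, extension ID 3 chosen arbitrarily), parses the extension elements, reports the byte range SRTP leaves unencrypted, and decides whether the MID is confidentiality-protected given the set of extension IDs for which RFC 6904 encryption was negotiated (a set this example assumes the SDP layer supplies).

```python
import struct

# --- Constructed sample packet (not captured from any real session) ---
# V=2, P=0, X=1, CC=0 -> 0x90; M=0, PT=96 -> 0x60; seq=1, ts=0, SSRC=0x12345678
RTP_FIXED_HEADER = bytes([0x90, 0x60]) + struct.pack("!HII", 1, 0, 0x12345678)
# One-byte header extension (profile 0xBEDE), 1 word long:
#   element: ID=3 (assumed extmap id for urn:ietf:params:rtp-hdrext:sdes:mid),
#            L=0 (data length 1), data = b"0", then 2 bytes of padding
RTP_HEADER_EXTENSION = struct.pack("!HH", 0xBEDE, 1) + bytes([0x30, ord("0"), 0, 0])
RTP_PAYLOAD = b"\x11" * 8  # dummy media payload
SAMPLE_PACKET = RTP_FIXED_HEADER + RTP_HEADER_EXTENSION + RTP_PAYLOAD
MID_EXT_ID = 3


def srtp_cleartext_prefix_length(packet: bytes) -> int:
    """Bytes at the start of the packet that SRTP (RFC 3711) does NOT encrypt:
    the fixed header, CSRC list, and the whole header extension."""
    first = packet[0]
    if first >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    has_ext = (first >> 4) & 1
    cc = first & 0x0F
    offset = 12 + 4 * cc
    if has_ext:
        _profile, length_words = struct.unpack_from("!HH", packet, offset)
        offset += 4 + 4 * length_words
    return offset


def parse_rtp_header_extensions(packet: bytes) -> dict:
    """Return {extension_id: data} for a one-byte (0xBEDE) header extension."""
    first = packet[0]
    if first >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    if not (first >> 4) & 1:
        return {}
    offset = 12 + 4 * (first & 0x0F)
    profile, length_words = struct.unpack_from("!HH", packet, offset)
    if profile != 0xBEDE:
        raise ValueError("only the one-byte header extension form is handled here")
    ext = packet[offset + 4 : offset + 4 + 4 * length_words]
    elements = {}
    i = 0
    while i < len(ext):
        hdr = ext[i]
        if hdr == 0:          # padding byte between elements
            i += 1
            continue
        ext_id, data_len = hdr >> 4, (hdr & 0x0F) + 1
        if ext_id == 15:      # reserved: stop parsing
            break
        elements[ext_id] = ext[i + 1 : i + 1 + data_len]
        i += 1 + data_len
    return elements


def exposed_mid(packet: bytes, mid_ext_id: int):
    """MID string as an on-path observer of unencrypted header extensions sees it."""
    data = parse_rtp_header_extensions(packet).get(mid_ext_id)
    return data.decode("ascii") if data is not None else None


def mid_is_confidentiality_protected(packet: bytes, mid_ext_id: int,
                                     rfc6904_encrypted_ext_ids: set) -> bool:
    """True only if the MID extension is among the IDs negotiated for
    RFC 6904 encryption. SRTP alone never covers it: the extension lies
    inside the cleartext prefix."""
    ext_start = 12 + 4 * (packet[0] & 0x0F)
    cleartext_end = srtp_cleartext_prefix_length(packet)
    assert ext_start < cleartext_end  # extension is within the unencrypted region
    return mid_ext_id in rfc6904_encrypted_ext_ids


if __name__ == "__main__":
    print("cleartext prefix (bytes):", srtp_cleartext_prefix_length(SAMPLE_PACKET))
    print("MID visible with SRTP only:", exposed_mid(SAMPLE_PACKET, MID_EXT_ID))
    print("protected with RFC 6904 on id 3:",
          mid_is_confidentiality_protected(SAMPLE_PACKET, MID_EXT_ID, {3}))
```

The check models what an implementer reading the proposed text needs to verify in a negotiated session: that the MID extension ID was actually included in the RFC 6904 encrypted set, and that SRTCP encryption is enabled separately for the RTCP SDES path, since the two transports are protected by different mechanisms.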